-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0980
Multiple vulnerabilities have been discovered within IBM
PureApplication system
16 June 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM PureApplication System
Publisher: IBM
Operating System: AIX
Red Hat
Windows
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0960 CVE-2014-0411
Reference: ASB-2014.0005
ESB-2014.0966
ESB-2014.0867
ESB-2014.0114
ESB-2014.0102
ESB-2014.0065
ESB-2014.0058
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21675216
http://www-01.ibm.com/support/docview.wss?uid=swg21675223
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
IBM PureApplication System - Users can logon over SSH to system from
deployed VMs
Flash (Alert)
Document information
More support for:
PureApplication System
Security
Software version:
1.0, 1.0.0.1, 1.0.0.2, 1.0.0.3, 1.0.0.4, 1.1.0.0, 1.1.0.1, 1.1.0.2, 1.1.0.3
Operating system(s):
AIX, Linux Red Hat - xSeries, Windows
Reference #:
1675216
Modified date:
2014-06-09
Abstract
Security vulnerability found where local users can SSH to system from
deployed VMs
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2014-0960
DESCRIPTION:
The IBM PureApplication System contains a security bypass vulnerability
that might allow a local user to SSH to the system from a virtual machine.
CVSS:
CVSS Base Score: 6.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92743 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
AFFECTED PRODUCTS AND VERSIONS:
IBM PureApplication System 1.0 and later
IBM PureApplication System 1.1 and later
REMEDIATION:
Upgrade your IBM PureApplication System environment as follows:
For IBM PureApplication System 1.0 and later, upgrade to Version
1.0.0.4 cfix8 or later.
For IBM PureApplication System 1.1 and later, upgrade to Version
1.1.0.4 Interim Fix 1 or later.
WORKAROUND:
None
MITIGATION:
None
REFERENCES:
Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
CHANGE HISTORY:
06 June 2014 - Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- -------------------------------------------------------------------------------
IBM PureApplication System - Vulnerability in current IBM SDK for Java -
January 2014 CPU
Flash (Alert)
Document information
More support for:
PureApplication System
Security
Software version:
1.0, 1.0.0.1, 1.0.0.2, 1.0.0.3, 1.0.0.4, 1.1.0.0, 1.1.0.1, 1.1.0.2, 1.1.0.3
Operating system(s):
AIX, Linux Red Hat - xSeries, Windows
Reference #:
1675223
Modified date:
2014-06-09
Abstract
Security vulnerability exists in the IBM SDK for Java that is shipped with
IBM PureApplication System
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2014-0411
DESCRIPTION:
The IBM PureApplication System is shipped with an IBM SDK for Java that is
based on the Oracle JDK. Oracle has released January 2014 critical patch
updates (CPU) which contain security vulnerability fixes. The IBM SDK for
Java has been updated to incorporate these fixes. .
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
The following advisories are included in the SDK but IBM PureApplication
System is not vulnerable to them. You will need to evaluate your own
code to determine if you are vulnerable. Please refer to the Reference
section for more information on the advisories not applicable to IBM
PureApplication System:
CVE-2014-0428 CVE-2014-0422 CVE-2013-5907 CVE-2014-0415 CVE-2014-0410
CVE-2013-5889 CVE-2014-0417 CVE-2014-0387 CVE-2014-0424 CVE-2013-5878
CVE-2014-0373 CVE-2014-0375 CVE-2014-0403 CVE-2014-0423 CVE-2014-0376
CVE-2013-5910 CVE-2013-5884 CVE-2013-5896 CVE-2013-5899 CVE-2014-0416
CVE-2013-5887 CVE-2014-0368 CVE-2013-5888 CVE-2013-5898 .
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
AFFECTED PRODUCTS AND VERSIONS:
IBM PureApplication System 1.0 and later
IBM PureApplication System 1.1 and later
REMEDIATION:
Upgrade your IBM PureApplication System environment as follows:
For IBM PureApplication System 1.0 and later, upgrade to Version
1.0.0.4 cfix8 or later.
For IBM PureApplication System 1.1 and later, upgrade to Version
1.1.0.4 Interim Fix 1 or later.
WORKAROUND:
None
MITIGATION:
None
REFERENCES:
Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
None
CHANGE HISTORY:
06 June 2014 - Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU55AKRLndAQH1ShLAQKspBAAhX9XJmioDf9sg/aWanhXRTB/5A4IjaMm
QyDr4fk7auinVXy/vxmqX4foR6JsJM3Ox5jkr0wKjZ9InrinwxDhG+bFiagNAFjw
hOdEyCGxRxFOqtKvvAGbNovEybgF3e4MNPJk4lGFkN2mxIFeI2N2YLZYUVJLeofb
gKoAKtYbovYLIfvb1PBi+TcT4d7ayXhV9P4B3SV+Je+F03Dm3cZNNtpBzT+kPydY
w2rzytcu6sODyStZ/WHJ7eqPPXN9gESBa8kg+hZuDFDAOUQVrhEPBxtceKF5K94P
8jGA/PuqLhhlQE6IgbCikRrMZnWhzw3rBIffdv/kb+8RLq5t4xAl9Y04HqfeAFbB
Tr2bqtZ8/7lbgvwBt0vLEppg26zqAq/T3z5ebI2LZdKaBfN8APpM5v4xLwkNFn8v
Vnas4tg3qb0d3NGX+shK9BhgdluTMPJLErxU1qJ9z0LiUZxHWQTlsPJjH8xHfm23
Q9HrAOVYx8te/WCsxNoGIh32bQcEQyh8gdHGIJLtY2/rzcBQZyhHo9BVJ1K/8Gzg
LItEuCGFAy655z0pS2u9iIYclcX+bqYaX7HLqc4dRp80M6wuYRsXmUaEBsz86mMs
4AyXfqP94f0NoOgtkUqoIUnymbnriWxECFxLjime1JzdHBciJIVCXGR1zza4F+g6
dFe5SBsKS+s=
=TW1W
-----END PGP SIGNATURE-----